Seeking Address: Why Cyber Attacks Are So Difficult to Trace Back to Hackers
Sony, Google, RSA and now Citigroup are just some of the prominent victims of cyber attacks as defenses at large organizations prove porous and attackers elude detection
PHISH AND CHIPS: Cyber attackers are known to break into poorly secured computers and use those hijacked systems as proxies through which they can launch and route attacks worldwide. Image: COURTESY OF ERWO1 VIA ISTOCKPHOTO.COM
One common practice that attackers employ to evade detection is to break into poorly secured computers and use those hijacked systems as proxies through which they can launch and route attacks worldwide. Although such attacks are an international problem, there is no international response, which frustrates local law enforcement seeking cooperation from countries where these proxy servers typically reside.
Address unknown
Every day seems to bring news of some new cyber attack. "We're seeing more reports on invasive attacks on a much more regular basis," says Chris Bronk, an information technology policy research fellow at Rice University's James A. Baker III Institute for Public Policy and a former U.S. State Department diplomat.
The hardest problem in finding the source of these attacks is attribution. Every Internet protocol (IP) packet carries a header that names its source and its destination address, but nothing in that header proves the source is genuine. "The source field can be changed [spoofed] by an attacker to make it seem like it's coming from someplace it's not," says Sami Saydjari, president of the cyber-security consultancy Cyber Defense Agency and a former program manager of information assurance at the Defense Advanced Research Projects Agency (DARPA).
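To make the spoofing point concrete, the following is an added example, not code from the article or from anyone quoted in it. It builds a minimal IPv4 header, then rewrites the source address and recomputes the header checksum. The only check the header carries is an integrity sum that anyone can recompute, so a valid packet tells the receiver nothing about where it really came from. All addresses are made up.

```python
"""Added example: the IPv4 source address is just a field in the header.
Nothing authenticates it; the RFC 791 header checksum only catches
corruption, and whoever edits the source can recompute it.
Addresses below are documentation ranges, chosen for illustration."""
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, ID, flags/frag,
                             # TTL, protocol, checksum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of the header, complemented.
    Run over a header whose checksum field is already filled in, it returns 0
    when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = 17, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    ver_ihl = (4 << 4) | 5                  # IPv4, 5 x 32-bit words
    hdr = struct.pack(IPV4_FMT, ver_ihl, 0, 20 + payload_len, ident, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(hdr: bytes) -> dict:
    """Decode the fields a receiver would look at, plus whether the checksum holds."""
    fields = struct.unpack(IPV4_FMT, hdr[:20])
    return {
        "src": socket.inet_ntoa(fields[8]),
        "dst": socket.inet_ntoa(fields[9]),
        "ttl": fields[5],
        "checksum_ok": ipv4_checksum(hdr[:20]) == 0,
    }


def spoof_source(hdr: bytes, new_src: str) -> bytes:
    """Overwrite the source field and recompute the checksum. The result is a
    perfectly well-formed header, which is exactly why the field proves nothing."""
    patched = hdr[:12] + socket.inet_aton(new_src) + hdr[16:20]
    patched = patched[:10] + b"\x00\x00" + patched[12:]   # zero before summing
    return patched[:10] + struct.pack("!H", ipv4_checksum(patched)) + patched[12:]


if __name__ == "__main__":
    genuine = build_ipv4_header("10.0.0.5", "192.0.2.10", payload_len=8)
    forged = spoof_source(genuine, "198.51.100.77")
    print(parse_ipv4_header(genuine))
    print(parse_ipv4_header(forged))      # different src, checksum still OK
```

The caveat a practitioner would add: blind spoofing is cheap for one-way traffic such as UDP or ICMP floods, where the sender never needs a reply, but a TCP session cannot be completed from a forged address because the handshake reply goes to the address in the source field. That limitation is one reason attackers relay through compromised hosts and proxies, as the rest of the article describes, instead of simply forging the field.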
"If your network is under attack and you're trying to find out who's doing it, purely technical means are insufficient for that," says David Nicol, director of the Information Trust Institute at the University of Illinois, Urbana–Champaign. "The way that we assemble complicated networks of computers until recently hasn't been done at all with security in mind except in a cursory way, and that's the fundamental problem."
By way of example, Nicol points out that he uses a virtual private network that connects to a proxy server before connecting him to the Internet. This enables him to encrypt data he sends over the network and protect the identity of his own Internet protocol (IP) address. "I do this to thwart information harvesting that commercial Web sites usually have," he adds. "I've got nothing to hide but that doesn't mean I want information about me harvested and sold."
Unfortunately, such tactics are also employed for malicious purposes. Cyber attackers use viruses, worms and other malware to take control of Internet servers or even personal computers, creating a network of "zombie" computers (a botnet) under their control from which they can launch their attacks. As a result, an attack may appear to come from a particular server or computer, but this does not mean the attack originated at that device, Nicol says, adding that a string of proxies located in different countries is often used in an attack, "greatly complicating the legal process of trying to piece it all together."
Spear phishing
One of the primary methods of creating zombies is by getting computer users to unwittingly infect their computers by opening e-mails and Web pages containing malware. "If you look at the way RSA was penetrated, it was not terribly sophisticated, nothing on the order of Stuxnet, which was probably the most sophisticated attack we've seen in recent memory," says Anup Ghosh, a research professor and chief scientist at George Mason University's Center for Secure Information Systems. "Most of these attacks are executed using conventional exploits. What's different is they're using these exploits in new ways."
In the case of RSA, hackers used "spear phishing" e-mails to trip up someone within the company, says Ghosh, also the founder and CEO of cyber-security technology maker Invincea, Inc. The offending e-mail purported to be a document about staff hiring issues and had been caught by the company's spam filter. The employee opened the e-mail, thinking it had been erroneously quarantined by the filter. The e-mail actually contained an Excel document that, once opened, installed malware on the employee's computer, and from there the intruders spread to other computers within the company. "This machine wasn't the target, it was the beachhead," Ghosh says.
To make matters worse, RSA CEO Art Coviello confirmed earlier this week that information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin.
Possible defenses
There is no shortage of software and services available for trying to prevent cyber attacks. Many approaches involve scanning incoming data for possible malware and screening spam e-mail laden with viruses or containing suspicious messages.
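The screening described above, applied to a message of the kind that caught out RSA's employee, as an added example that is not part of the article and not any vendor's product logic. It parses an inbound e-mail and scores a few signals a mail gateway can check without opening the attachment: a Reply-To domain that differs from the From domain, a message claiming an internal sender that entered from an outside relay (judged only from the Received line our own relay wrote, since earlier ones are forgeable), an attachment type that can carry executable content, and attachment bytes that do not match the claimed extension. The sample messages, the internal domain examplecorp.com and the thresholds are constructed for illustration; the lure variant uses a renamed executable, which is a different trick from the document exploit the article describes, to show the magic-byte check firing.

```python
"""Added example, not from the article: header and attachment triage for an
inbound e-mail. Sample messages are built in-process; rules are illustrative."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions that can carry executable content (macros, OLE objects, PE files).
RISKY_EXT = {".xls", ".xlsx", ".xlsm", ".doc", ".docm", ".exe", ".scr", ".js", ".zip"}
# Leading bytes a file with that extension should have (OLE2 compound file, ZIP, PE).
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = {".xls": OLE2, ".doc": OLE2, ".xlsx": b"PK\x03\x04",
         ".docx": b"PK\x03\x04", ".exe": b"MZ"}


def domain_of(header_value) -> str:
    """Domain part of the address in a From/Reply-To header ('' if none)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def entry_host(msg, internal_domain: str) -> str:
    """Host that handed the message to our own relay, taken from the Received
    line written by a host in our domain; outside Received lines are untrusted."""
    for received in msg.get_all("Received", []):
        tokens = str(received).split()
        if len(tokens) > 1 and tokens[0] == "from" and "by" in tokens:
            relay = tokens[tokens.index("by") + 1]
            if relay.endswith(internal_domain):
                return tokens[1]
    return ""


def triage(raw: bytes, internal_domain: str) -> dict:
    """Return the findings for one message and a quarantine decision."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    if reply_dom != from_dom:
        findings.append("Reply-To domain %s differs from From domain %s" % (reply_dom, from_dom))
    entered_from = entry_host(msg, internal_domain)
    if from_dom == internal_domain and entered_from and not entered_from.endswith(internal_domain):
        findings.append("claims internal sender but arrived from %s" % entered_from)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        data = part.get_payload(decode=True) or b""
        if ext in RISKY_EXT:
            findings.append("attachment type can carry code: %s" % name)
        if ext in MAGIC and not data.startswith(MAGIC[ext]):
            findings.append("content of %s does not match its extension" % name)
    return {"findings": findings, "quarantine": len(findings) >= 2}


def build_sample(internal_domain: str, lure: bool) -> bytes:
    """Constructed test message; lure=True builds the suspicious variant."""
    msg = EmailMessage()
    first_hop = "mail.example.net" if lure else "hub." + internal_domain
    msg["Received"] = "from %s ([203.0.113.9]) by mx.%s with ESMTP" % (first_hop, internal_domain)
    msg["From"] = '"HR Department" <hr@%s>' % internal_domain
    if lure:
        msg["Reply-To"] = "recruit@example.net"
    msg["To"] = "employee@%s" % internal_domain
    msg["Subject"] = "Staff hiring issues"
    msg.set_content("Please review the attached document on staff hiring issues.")
    if lure:
        # Named .xls, but the bytes start with a PE 'MZ' header (constructed).
        msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                           subtype="vnd.ms-excel", filename="Staff hiring issues.xls")
    else:
        msg.add_attachment("Quarterly headcount summary.\n", filename="headcount.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for is_lure in (True, False):
        print(triage(build_sample("examplecorp.com", lure=is_lure), "examplecorp.com"))
```

None of these checks would have seen the Excel exploit in the RSA e-mail; what they do is make an obviously forged sender or a mislabelled file cost the attacker something, and they give a quarantine-release workflow a reason to show the user why the message was held rather than a bare "spam" label.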
Beyond having better network intrusion detection systems, "we need a system of cooperative intrusion detection and trace-back among different countries," Saydjari says. "That doesn't solve the problem but it narrows it down. Right now, you can trace traffic back to a particular country, but it's very difficult to get any visibility into where within the country the packets originated."
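The trace-back Saydjari describes, and the proxy chain Nicol describes earlier, come down to the same mechanical problem: each hop's own connection log is needed to get one step further back, and the chain ends at the first operator who does not share one. The following is an added example, not from the article, that walks such a chain over constructed logs. Each proxy is assumed to record, per relayed connection, who connected in and the outbound leg it opened on that client's behalf; a real source would be NAT, proxy or NetFlow records. Host names, addresses and times are made up, and proxy A (198.51.100.7) deliberately has no log, standing in for the foreign host whose operator will not cooperate.

```python
"""Added example, not from the article: following one connection back through
a chain of proxies using each proxy's connection log. Logs are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One relayed connection as a proxy would log it: the inbound client
    (in_src:in_sport) and the outbound leg opened for it (out_sport -> out_dst:out_dport)."""
    in_src: str
    in_sport: int
    out_sport: int
    out_dst: str
    out_dport: int
    t: int            # seconds; constructed


# Constructed logs keyed by the host that kept them. 198.51.100.7 (proxy A)
# shares nothing, so it has no entry at all.
LOGS = {
    "203.0.113.5": [   # proxy C, the address the victim actually sees
        Conn("192.0.2.44", 51000, 40001, "10.9.8.7", 443, 1000),
        Conn("192.0.2.90", 47000, 40002, "10.9.8.7", 443, 1004),
        # same outbound port reused hours later by a different client:
        # matching on ports alone would pick the wrong chain.
        Conn("192.0.2.90", 47001, 40001, "10.9.8.7", 443, 5000),
    ],
    "192.0.2.44": [    # proxy B
        Conn("198.51.100.7", 33333, 51000, "203.0.113.5", 8080, 999),
        Conn("198.51.100.7", 33334, 51002, "203.0.113.5", 8080, 1003),
    ],
}


def trace_back(victim: str, seen_ip: str, seen_port: int, seen_t: int,
               window: int = 5, logs: dict = LOGS) -> dict:
    """Start from what the victim observed (source address/port and time) and
    step back one proxy at a time. Stops when a host has no log to consult, or
    when its log has no record matching the outbound leg within `window` seconds
    (spoofed traffic, rotated logs, or a hop that is not a logging proxy)."""
    hops = [(seen_ip, seen_port)]
    dst, ip, port, t = victim, seen_ip, seen_port, seen_t
    while True:
        log = logs.get(ip)
        if log is None:
            return {"hops": hops, "stopped_at": ip, "reason": "no logs available"}
        matches = [c for c in log
                   if c.out_dst == dst and c.out_sport == port and abs(c.t - t) <= window]
        if not matches:
            return {"hops": hops, "stopped_at": ip, "reason": "no matching record"}
        c = min(matches, key=lambda c: abs(c.t - t))   # nearest in time
        hops.append((c.in_src, c.in_sport))
        dst, ip, port, t = ip, c.in_src, c.in_sport, c.t


if __name__ == "__main__":
    # Victim 10.9.8.7 saw a connection from 203.0.113.5:40001 at t=1000.
    print(trace_back("10.9.8.7", "203.0.113.5", 40001, 1000))
    # Same ports observed at t=5000 lead to a different client entirely.
    print(trace_back("10.9.8.7", "203.0.113.5", 40001, 5000))
```

The result names where the trail goes cold and why, which is the information a request for cooperation has to carry: the specific host, port and time to ask the next operator about. It also shows why the article's "trace it to a country" is often the practical ceiling; the chain is only as long as the set of logs someone is willing to produce.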
Another important component of cyber defense is to improve security on the computers themselves. This means operating systems with fewer vulnerabilities—Microsoft distributes dozens of security patches for Windows every month, and that is an improvement over just a few years ago. "That will decrease the number of zombies and increase the level of difficulty with which adversaries can seize control of computers and do this hopscotching from computer to computer," Saydjari says.
Perhaps the most effective defense, however, is for computer users to demonstrate some cyber street-smarts. "You never know what tactic the attackers will take, especially when it comes to spear phishing," Ghosh says. As a result, it is difficult to keep people from being duped into clicking on spam—thinking it is a message from their bank, a delivery service or someone else they think they can trust—and running the risk of infecting their computers with a virus. "You can train and train and train users but you're not going to get to zero percent," he adds.